parse-uri Regular Expression Denial-of-Service Vulnerability

A regular expression denial-of-service (ReDoS) vulnerability has been identified in the parse-uri library, specifically in version 1.0.9. This issue arises when an attacker crafts a URL that exploits the library's regex parsing, leading to a denial-of-service condition by causing excessive processing time.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the application becomes unresponsive or significantly slower due to the excessive processing of the crafted URL.

Reproduction

To reproduce this vulnerability, use parse-uri version 1.0.9 and provide a URL that includes repeating characters. The regex used for URL validation will be overwhelmed, causing a denial-of-service condition. This can be done by prefixing the URL with a character, repeating it many times, and adding a null byte followed by more repeated characters.